
EP2656649A1 - Preventing roaming user terminal re-authentication - Google Patents


Info

Publication number
EP2656649A1
EP2656649A1
Authority
EP
European Patent Office
Prior art keywords
user terminal
roaming user
vlan
roaming
bras
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP11851034.6A
Other languages
German (de)
French (fr)
Other versions
EP2656649A4 (en)
Inventor
Xiangqing Chang
Yang Shi
Jianfeng Liu
Haitao Zhang
Tao Zheng
Min Yao
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Publication of EP2656649A1
Publication of EP2656649A4
Legal status: Withdrawn (current)

Links

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/2854 Wide area networks, e.g. public data networks > H04L12/2856 Access arrangements, e.g. Internet access
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W8/00 Network data management > H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • connection table reported to the AAA server by the BRAS when a certain roaming user terminal is authenticated for the first time is shown in Table 1 .
  • the BRAS modifies the reported information as shown in Table 2, according to the information reported by the access controller, and reports the modified information of the roaming user terminal to the AAA server. The columns of Table 2 are: ID of device; MAC of roaming user terminal; IP of roaming user terminal; VLAN of roaming user terminal; State of roaming user terminal.
  • the AAA server updates table item information related to access of the roaming user terminal.
  • the original table item related information of the user stored in the AAA server is updated as shown in Table 4, according to the information reported by the BRAS.
  • the AAA server sends a confirmation message to the BRAS, reporting that the update is complete.
  • the BRAS allows the roaming user terminal to access the network with IP address of changed VLAN.
  • the roaming user terminal directly accesses the network.
  • the roaming user terminal may directly access the network without further authentication.
  • the illustrative method described above also allows the roaming user terminal to directly access the network with IP address of the changed VLAN without re-authentication.
  • Fig. 3 is a diagram of an illustrative system for preventing a roaming user terminal from re-authentication.
  • the system includes an access controller detecting module (301) located in an access controller (120), a BRAS processing module (302) located in the BRAS (110), and an AAA Server processing module (303) located in the AAA server (115).
  • the controller detecting module, BRAS processing module and AAA Server processing module may be hardware or software modules or a combination thereof.
  • the modules may be implemented as machine readable instructions stored in a memory and executable by a processor or as electronic logic or circuitry designed to execute the functions described below.
  • the access controller detecting module (301) is designed to receive an access request from a roaming user terminal, and detect whether the VLAN of the roaming user terminal changes.
  • the access controller detecting module (301) compares the pre-roaming VLAN of the roaming user terminal stored in the access controller with the after-roaming VLAN of the roaming user terminal. When the pre-roaming VLAN is the same as the after-roaming VLAN, the access controller detecting module (301) determines that the VLAN of the roaming user terminal is unchanged. Otherwise, the access controller detecting module (301) determines that the VLAN of the roaming user terminal has changed.
  • when a change is detected, the access controller detecting module (301) reports the roaming user terminal information to the BRAS processing module (302). If no change is detected, the roaming user terminal directly accesses the network.
  • the roaming user terminal information reported by the access controller detecting module (301 ) may include a variety of data.
  • the terminal information may include an identifier of a logic port accessed by the roaming user terminal. This logic port identifier may include an AC name/identifier+ an AP name/identifier+ an actual radio name/identifier+ a logic port name/identifier.
  • the terminal information may also include a unique identifier of the roaming user terminal: MAC of the roaming user terminal, IP information of unchanged VLAN of the roaming user terminal, and IP information of changed VLAN of the roaming user terminal.
  • the terminal information may also include a state of the roaming user terminal (roaming or not roaming) and time of the change in state.
  • the BRAS processing module (302) connects with the access controller detecting module (301) and the AAA server processing module (303) and receives the changed information about the roaming user terminal reported by the access controller detecting module (301).
  • the BRAS processing module modifies the BRAS table according to the changed information and reports the changed information to the AAA server processing module (303).
  • the BRAS (110) receives a confirmation message sent by the AAA server processing module (303) reporting that the update is complete.
  • the roaming user terminal is then allowed to access the network with the IP address of the changed VLAN.
  • the modified roaming user terminal information reported by the BRAS processing module (302) to the AAA server processing module (303) includes: an ID of the roaming user terminal, MAC of the roaming user terminal, IP of the roaming user terminal, VLAN of the roaming user terminal and state of the roaming user terminal.
  • the AAA server processing module (303) connects with the BRAS processing module (302) and receives the changed information of the roaming user terminal reported by the BRAS processing module (302).
  • the AAA server modifies entries in the AAA server table according to the changed information and sends a confirmation of the update to the BRAS processing module (302).
  • the access controller (120), the BRAS (110), and the AAA server (115) may be implemented separately on appropriate computing devices interconnected by Ethernet.
  • the access controller (120), BRAS (110), and the AAA server (115) may be implemented, separately or in combination, on multi-core processors.
  • FIG. 4 shows a system for preventing a roaming user terminal from re-authentication that includes a roaming user terminal (401), an access controller (402), a BRAS (403) and an AAA server (404).
  • the roaming user terminal (401) sends an access request to the access controller (402).
  • the access controller (402) detects whether the VLAN of the roaming user terminal (401) has changed.
  • the access controller (402) reports the changed information of the roaming user terminal to the BRAS (403).
  • the BRAS (403) receives the changed information, including the changed VLAN reported by the access controller (402).
  • the BRAS modifies the corresponding table items and reports the updated roaming user terminal information to the AAA server (404).
  • after receiving the modified information reported by the BRAS (403), the AAA server (404) updates a corresponding AAA table and sends a confirmation message to the BRAS (403) indicating that the update is complete. This allows the roaming user terminal (401) to access the network with the IP address of the changed VLAN.
  • when detecting that the VLAN of the roaming user terminal (401) has not changed, the access controller (402) allows the roaming user terminal (401) to directly access the network with the IP address of the unchanged VLAN.
  • the systems and methods described above allow a roaming user terminal to migrate between access points and VLANs in a wireless network without re-authentication. This can be accomplished by detecting changes in the access points and/or the VLAN the roaming user terminal is connected to and updating tables in the access controller, BRAS, and AAA server. Appropriate information is then returned to the BRAS to allow a properly authenticated user terminal to migrate between access points without re-authentication.
  • the roaming user terminal is allowed to access a network with an Internet Protocol (IP) address of changed VLAN.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method and device for preventing a roaming user terminal from re-authentication are provided. The method includes: when Virtual Local Area Network (VLAN) of a roaming user terminal changes, change information of the roaming user terminal is reported to a Broadband Remote Access Server (BRAS) via an Access Controller (AC) and the BRAS reports modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA server).

Description

PREVENTING ROAMING USER TERMINAL RE-AUTHENTICATION
BACKGROUND
[0001] Computing devices are becoming more mobile and more connected. When a wireless computing device migrates from a first access point to a second access point within a wireless network, re-authentication may be triggered. The re-authentication can disrupt the wireless service to the computing device and may disrupt the user's experience.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] The accompanying drawings illustrate various examples of the principles described herein and are a part of the specification. The illustrated examples are merely examples and do not limit the scope of the claims.
[0003] Fig. 1 is a diagram of a wireless network, according to one example of principles described herein.
[0004] Fig. 2 is a flowchart of an illustrative method for preventing a roaming user terminal from re-authentication, according to one example of principles described herein.
[0005] Fig. 3 is a diagram of an illustrative system for preventing a roaming user terminal from re-authenticating, according to one example of principles described herein.
[0006] Fig. 4 is a diagram of an illustrative system for preventing a roaming user terminal from re-authenticating, according to one example of principles described herein.
[0007] Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.
DETAILED DESCRIPTION
[0008] Computing devices can connect to each other and a variety of networks using a number of communication technologies. Wireless Local Area Network (WLAN) technologies are a communication technology that is widely used and includes the popular Wireless Fidelity (Wi-Fi) technology. Wireless networking allows two or more points to communicate that are not physically connected.
[0009] In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present systems and methods. It will be apparent, however, to one skilled in the art that the present apparatus, systems and methods may be practiced without these specific details. Reference in the specification to "an example" or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least that one example, but not necessarily in other examples.
[0010] Fig. 1 shows a centralized WLAN architecture (100) that includes Access Controllers (AC) (120, 122) and Access Points (AP) (125, 127). The access controllers (120, 122) can provide session control and traffic/bandwidth management for access points (125, 127). For example, the access controllers (120, 122) may make automatic adjustments to the transmitting power, channels, authentication, and security. The access points (125, 127) provide wireless connectivity to remote user terminals (130) by receiving and sending wireless packets. In some implementations, the access controllers (120, 122) may be part of a mobility domain to allow clients access throughout large or regional office locations. As the remote user terminal (130) physically moves in relation to the access points (125, 127), the remote user terminal (130) can switch from a first access point (125) to a second access point (127) by dropping connectivity with the first access point (125) and picking up connectivity with the second access point (127). This often requires re-authentication of the remote user terminal (130). The re-authentication can disrupt the wireless service to the remote user terminal (130) and may disrupt the user's experience.
[0011] Another component within the WLAN architecture (100) is a Broadband Remote Access Server (BRAS) (110). The BRAS (110) routes traffic between the access controllers (120, 122) and a network (105). For example, the network may be a Metropolitan Area Network (MAN) that accesses the internet. The BRAS (110) aggregates remote user terminal (130) sessions from the access controllers (120, 122), injects policy management and enforces quality of service policies. The BRAS (110) is also responsible for assigning network parameters such as Internet Protocol (IP) addresses to the clients. A remote user terminal is authenticated by sending an access request to the access controller (120) via an access point (125). This access request is then passed to the BRAS (110). The BRAS (110) sends an authentication request and corresponding user information to an Authentication, Authorization, Accounting server (AAA server) (115). The AAA server (115) determines whether the remote user terminal (130) is a valid user, validates user credentials, determines which serving strategy should be applied for the user, and sends the results to the BRAS (110) device. The BRAS (110) device executes actions according to the results returned by the AAA server (115). The remote user terminal (130) can then access the network (105).
[0012] Wireless networks are adapted to provide connectivity to a variety of remote user terminals (130). When a remote user terminal (130) migrates from a first access point (125) to a second access point (127), the user's IP address within the Virtual Local Area Network (VLAN) may change. This triggers re-authentication of the remote user terminal (130) on the network (105). As discussed above, this re-authentication may include sending a re-authentication request from the remote user terminal (130) through the new access point (127) and its associated access controller (122) to the BRAS (110). The BRAS (110) then sends the authentication request to the AAA server (115). If the AAA server (115) validates the request, the BRAS (110) provides access to the remote user terminal (130) through the new access point (127) via its associated access controller (122). This process can disrupt communication between the remote user terminal (130) and the network (105). This disruption in service can significantly affect a user's experience. For example, if the user is consuming streaming media, the media stream would be disrupted. If the user is downloading a file, the download may be terminated and the user may have to start over.
[0013] In some implementations, re-authentication can be prevented by modifying the user's credentials and/or communication stream at the access controller (120, 122) to conceal the migration between access points (125, 127) from the BRAS (110). For example, the access controller (120, 122) determines when a remote user terminal (130) moves between access points (125, 127). Then the access controller (120, 122) can encapsulate packets sent from the wireless network (105) and passed to the BRAS (110) so that the packets appear to have originated with the original access point (125). Thus, although the user is roaming, the BRAS (110) does not perceive the change in wireless access points and the IP address of the remote user terminal (130) remains the same.
[0014] If the remote user terminal (130) migrates from a first access point (125) controlled by a first access controller (120) to a second access point (127) controlled by a different access controller (122), the two access controllers (120, 122) can synchronize remote user terminal (130) information and continue to mask the migration between access points (125, 127). Data from the network (105) addressed to the remote user terminal (130) is transmitted transparently to the original access controller (120) and then forwarded to the new access controller (122) for distribution to the remote user terminal (130).
[0015] This method shields migration of the remote user terminal (130) from the BRAS (110) but can create a number of inefficiencies in the wireless network (105). For example, the BRAS (110) is unaware of the actual location of the remote user terminal (130) and is unable to accurately assess bandwidth controls and quality of service policies. This technique can also interfere with individualized control of different access points (125, 127).
[0016] Fig. 2 is a flowchart of one illustrative method for preventing a roaming user terminal from re-authentication. In block 201, a roaming wireless device communicates wirelessly with an access controller for WLAN correlation, to request access to the network, and to provide user data related to various network application services. For example, the user data may include a Uniform Resource Locator (URL) that the user desires to view in an internet browser.
[0017] In block 202, the access controller detects whether the wireless device has changed access points or moved between Virtual Local Area Networks (VLAN). A VLAN is a group of hosts with a common set of requirements that communicate as if they are attached to the same broadcast domain, regardless of their physical location. If no change is detected, the method proceeds to block 209 and provides the user with authentication and with direct access to the network as described above. If the access controller determines that the user has migrated to a different access point or VLAN, the access controller stores information identifying the change and the method proceeds to block 203.
[0018] For example, when a WLAN terminal sends a request to a first access point (125) for correlation, the first access point (125) may transmit the request transparently to the AC via a channel established between the first access point (125) and the AC. Subsequently, the AC may allow the WLAN terminal to access with correlation, and record the user information and AP information of the WLAN terminal. As the WLAN terminal migrates, when it detects that the signal strength of a second access point (127) exceeds that of the first access point (125) and reaches a threshold, while at the same time the packet loss rate between the WLAN terminal and the first access point (125) reaches another threshold, the WLAN terminal may actively trigger the roaming process, that is, it may actively send a packet for re-correlation to the second access point (127). Similarly, the second access point (127) may not process the received re-correlation packet itself, but instead send it to the AC via a channel established between the AC and the second access point (127). By querying the previously recorded user information, the AC may find that the WLAN terminal has already been correlated, learn that the WLAN terminal now accesses through a new access point, and confirm that the WLAN terminal is a roaming user terminal. Thus, the AC may allow the WLAN terminal to re-correlate with the second access point (127). Subsequently, the WLAN terminal may send a packet to cancel the correlation with the first access point (125), and the roaming process is then complete.
[0019] In block 203, the access controller compares the current connection information of the roaming user terminal with the original pre- roaming connection information. This allows the access controller to determine if the migrating roaming user terminal is a legal user. Specifically speaking, there are two kinds of roaming, which are respectively roaming within an access controller and roaming between access controllers. Regarding the roaming within an access controller, a same access controller may directly obtain pre- roaming information. Regarding the roaming between access controllers, a roaming group may be set to include a pre-roaming access controller and an after-roaming access controller. Thus, the pre-roaming access controller and the after-roaming access controller may synchronize user information. When the roaming between access controllers occurs, the after-roaming access controller may learn pre-roaming information of a user by querying synchronized information. The access controller reports the current connection information of the wireless device to the BRAS.
[0020] Reported information of the roaming user terminal may include:
[0021] an identifier of the logic port accessed by the roaming user terminal: an access controller name/identifier + an AP name/identifier + an actual radio name/identifier + a logic port name/identifier;
[0022] a unique identifier of the roaming user terminal: the Media Access Control (MAC) address of the roaming user terminal, IP information of the roaming user terminal with unchanged VLAN, and IP information of the roaming user terminal with changed VLAN;
[0023] state of the roaming user terminal: roaming;
[0024] time at which the change of state occurs.
[0025] In block 204 the BRAS receives the information and modifies a connection table to include the information. This provides the BRAS with an accurate view of the location and connectivity of the wireless devices connected to the network.
[0026] In block 205, the BRAS reports the modified information of the roaming user terminal to the AAA server. This information could be reported in the form of a connection table. In one implementation, the connection table includes an identifier (ID) of the roaming user terminal, MAC of the roaming user terminal, IP of the roaming user terminal, VLAN of the roaming user terminal and state of the roaming user terminal.
[0027] For example, the connection table reported to the AAA server by the BRAS when a certain roaming user terminal is authenticated for the first time is shown in Table 1.
Table 1
[0028] After roaming, the reported information of the roaming user terminal is modified as shown in Table 2, according to the information reported by the access controller. Therefore, the BRAS reports the modified information of the roaming user terminal to the AAA server.

ID of device | MAC of roaming user terminal | IP of roaming user terminal | VLAN of roaming user terminal | State of roaming user terminal
0 | 001f-3cdd-25c5 | 60.11.161.36 | 161 | Authentication is passed.
Table 2
[0029] In block 206, the AAA server updates table item information related to access of the roaming user terminal.
[0030] Information in original table item related with the roaming user terminal that is stored in the AAA server is shown in Table 3.
Table 3
[0031] After the user begins to roam, the original table item information of the user stored in the AAA server is updated as shown in Table 4, according to the information reported by the BRAS.
Table 4
[0032] In block 207, the AAA server sends a confirmation message to the BRAS, reporting that the update is complete.
[0033] In block 208, the BRAS allows the roaming user terminal to access the network with the IP address of the changed VLAN.
[0034] In block 209, the roaming user terminal directly accesses the network.
[0035] According to the implementation shown in Figure 2, when the VLAN of the roaming user terminal does not change, the roaming user terminal may directly access the network without further authentication. When the VLAN of the roaming user terminal changes, the illustrative method described above also allows the roaming user terminal to directly access the network with the IP address of the changed VLAN, without re-authentication.
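The update chain of blocks 202 to 208, as an added simulation that is not code from the patent or from its assignee: an access controller that compares each access request with its stored pre-roaming association, a BRAS that modifies its connection table and grants access only once the AAA server confirms the update, and an AAA server that refuses to update a table item it never created, so that a terminal with no authenticated session cannot ride the roaming path. The class and field names, the new_vlan field carried in the report, the BRAS check that the reported pre-roaming IP matches its own record, the roll-back when the AAA server refuses, and every MAC, IP and VLAN value are assumptions made for this example.

```python
import time
from dataclasses import dataclass, replace


@dataclass
class Entry:                # connection-table row: ID, MAC, IP, VLAN, state (Tables 1-4)
    dev_id: int
    mac: str
    ip: str
    vlan: int
    state: str


@dataclass
class ChangeReport:         # what the AC reports to the BRAS ([0021]-[0024])
    port: str               # "AC+AP+radio+port" logical port identifier
    mac: str
    old_ip: str             # IP of the unchanged VLAN
    new_ip: str             # IP of the changed VLAN
    new_vlan: int           # assumption: the AC stores the changed VLAN, so it travels with the report
    changed_at: float       # time of the state change
    state: str = "roaming"


class AAAServer:
    """Blocks 206 and 207: update the terminal's table item and confirm."""
    def __init__(self):
        self.table = {}                          # mac -> Entry (Tables 3 and 4)
    def update(self, modified):
        # A MAC with no table item never authenticated here; refusing to create one on a
        # roaming report keeps "no re-authentication" from turning into "no authentication".
        if modified.mac not in self.table:
            return False
        self.table[modified.mac] = modified      # Table 4
        return True                              # "update complete"


class BRAS:
    """Blocks 204, 205 and 208: modify the connection table, report to the AAA server,
    grant access only after its confirmation."""
    def __init__(self, aaa):
        self.aaa, self.table = aaa, {}           # table: mac -> Entry (Tables 1 and 2)
    def register(self, entry):                   # rows created at first authentication
        self.table[entry.mac] = entry
        self.aaa.table[entry.mac] = replace(entry)

    def on_change(self, report):
        current = self.table.get(report.mac)
        # Assumed consistency check: the pre-roaming IP the AC reports must match the record.
        if current is None or current.ip != report.old_ip:
            return False
        modified = replace(current, ip=report.new_ip, vlan=report.new_vlan, state=report.state)
        self.table[report.mac] = modified        # Table 2
        if not self.aaa.update(replace(modified)):
            self.table[report.mac] = current     # assumed roll-back when the AAA server refuses
            return False
        return True                              # access with the new-VLAN IP


class AccessController:
    """Blocks 202/203 and [0037]: compare the request with the stored pre-roaming
    association (roaming within one AC, so the lookup is local)."""
    def __init__(self, bras):
        self.bras, self.assoc = bras, {}         # assoc: mac -> (port, vlan, ip)

    def access_request(self, mac, port, vlan, ip):
        prev = self.assoc.get(mac)
        if prev is None:
            return "authenticate"                # no pre-roaming record: not a roaming user
        if prev[1] == vlan:
            self.assoc[mac] = (port, vlan, ip)
            return "direct-access"               # AP may have changed, VLAN has not
        report = ChangeReport(port, mac, prev[2], ip, vlan, time.time())
        if self.bras.on_change(report):
            self.assoc[mac] = (port, vlan, ip)
            return "access-changed-vlan"
        return "authenticate"                    # chain refused: full authentication instead


def demo():
    """Constructed sample run; every MAC, IP and VLAN value is made up."""
    aaa = AAAServer()
    bras = BRAS(aaa)
    ac = AccessController(bras)
    ap1, ap2 = "AC1+AP1+radio0+port1", "AC1+AP2+radio0+port1"
    mac1, mac2 = "0000-0000-0001", "0000-0000-0002"
    for dev_id, mac, ip in ((0, mac1, "10.0.161.10"), (1, mac2, "10.0.161.11")):
        bras.register(Entry(dev_id, mac, ip, 161, "Authentication is passed"))
        ac.assoc[mac] = (ap1, 161, ip)           # association recorded at first authentication
    del aaa.table[mac2]                          # constructed fault: AAA lost this table item
    r = {"same_vlan": ac.access_request(mac1, ap2, 161, "10.0.161.10"),
         "new_vlan": ac.access_request(mac1, ap2, 162, "10.0.162.10"),
         "unknown": ac.access_request("0000-0000-0003", ap2, 162, "10.0.162.11"),
         "aaa_missing": ac.access_request(mac2, ap2, 162, "10.0.162.12")}
    r["bras_vlan_1"] = str(bras.table[mac1].vlan)   # 162: updated after AAA confirmed
    r["aaa_state_1"] = aaa.table[mac1].state         # roaming
    r["bras_vlan_2"] = str(bras.table[mac2].vlan)   # 161: rolled back
    return r
```

The four requests in demo() cover the decision points of Figure 2: a same-VLAN move to another AP is granted directly, a VLAN change is granted only after the BRAS and AAA tables have both been updated, an unknown MAC has no pre-roaming record and is sent to full authentication, and a VLAN change whose AAA update fails is rolled back at the BRAS and likewise sent to full authentication. The BRAS waiting for the AAA confirmation before granting access is what keeps the three tables consistent; if the BRAS granted first, a terminal could be on the network with an IP the AAA server has no record of.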
[0036] Fig. 3 is a diagram of an illustrative system for preventing a roaming user terminal from re-authentication. The system includes an access controller detecting module (301) located in an access controller (120), a BRAS processing module (302) located in the BRAS (110), and an AAA server processing module (303) located in the AAA server (115). The access controller detecting module, BRAS processing module and AAA server processing module may be hardware or software modules or a combination thereof. The modules may be implemented as machine readable instructions stored in a memory and executable by a processor, or as electronic logic or circuitry designed to execute the functions described below.
[0037] The access controller detecting module (301) is designed to receive an access request from a roaming user terminal and detect whether the VLAN of the roaming user terminal has changed. The access controller detecting module (301) compares the pre-roaming VLAN of the roaming user terminal stored in the access controller with the after-roaming VLAN of the roaming user terminal. When the pre-roaming VLAN is the same as the after-roaming VLAN, the access controller detecting module (301) determines that the VLAN of the roaming user terminal is unchanged. Otherwise, the access controller detecting module (301) determines that the VLAN of the roaming user terminal has changed.
[0038] When a change in the VLAN of the roaming user terminal is detected, the access controller detecting module (301) reports the roaming user terminal information to the BRAS processing module (302). If no change is detected, the roaming user terminal directly accesses the network.
[0039] The roaming user terminal information reported by the access controller detecting module (301) may include a variety of data. For example, the terminal information may include an identifier of the logic port accessed by the roaming user terminal. This logic port identifier may include an AC name/identifier + an AP name/identifier + an actual radio name/identifier + a logic port name/identifier. The terminal information may also include a unique identifier of the roaming user terminal: the MAC address of the roaming user terminal, IP information of the unchanged VLAN of the roaming user terminal, and IP information of the changed VLAN of the roaming user terminal. The terminal information may also include the state of the roaming user terminal (roaming or not roaming) and the time of the change in state.
[0040] The BRAS processing module (302) connects with the access controller detecting module (301) and the AAA server processing module (303), and receives the changed information about the roaming user terminal reported by the access controller detecting module (301). The BRAS processing module modifies the BRAS table according to the changed information and reports the changed information to the AAA server processing module (303). The BRAS (110) receives a confirmation message sent by the AAA server processing module (303) reporting that the update is complete. The roaming user terminal is then allowed to access the network with the IP address of the changed VLAN.
[0041] The modified roaming user terminal information reported by the BRAS processing module (302) to the AAA server processing module (303) includes: an ID of the roaming user terminal, the MAC address of the roaming user terminal, the IP address of the roaming user terminal, the VLAN of the roaming user terminal and the state of the roaming user terminal.
[0042] The AAA server processing module (303) connects with the BRAS processing module (302) and receives the changed information of the roaming user terminal reported by the BRAS processing module (302). The AAA server modifies entries in the AAA server table according to the changed information and sends a confirmation of the update to the BRAS processing module (302).
[0043] In some implementations, the access controller (120), the BRAS (110), and the AAA server (115) may be implemented separately on appropriate computing devices interconnected by Ethernet. The access controller (120), BRAS (110), and AAA server (115) may be implemented, separately or in combination, on multi-core processors.
[0044] Fig. 4 shows a system for preventing a roaming user terminal from re-authentication that includes a roaming user terminal (401), an access controller (402), a BRAS (403) and an AAA server (404).
[0045] The roaming user terminal (401) sends an access request to the access controller (402). After receiving the access request sent by the roaming user terminal (401), the access controller (402) detects whether the VLAN of the roaming user terminal (401) has changed. When the VLAN of the roaming user terminal (401) has changed, the access controller (402) reports the changed information of the roaming user terminal to the BRAS (403). The BRAS (403) receives the changed information, including the changed VLAN reported by the access controller (402). The BRAS modifies the corresponding table items and reports the updated roaming user terminal information to the AAA server (404). After receiving the modified information reported by the BRAS (403), the AAA server (404) updates the corresponding AAA table and sends a confirmation message to the BRAS (403) indicating that the update is complete. This allows the roaming user terminal (401) to access the network with the IP address of the changed VLAN. When detecting that the VLAN of the roaming user terminal (401) has not changed, the access controller (402) allows the roaming user terminal (401) to directly access the network with the IP address of the unchanged VLAN.
[0046] In conclusion, the systems and methods described above allow a roaming user terminal to migrate between access points and VLANs in a wireless network without re-authentication. This is accomplished by detecting changes in the access point and/or the VLAN the roaming user terminal is connected to, and updating tables in the access controller, BRAS, and AAA server. Appropriate information is then returned to the BRAS to allow a properly authenticated user terminal to migrate between access points without re-authentication. The roaming user terminal is allowed to access the network with an Internet Protocol (IP) address of the changed VLAN. Thus, re-authentication of the roaming user terminal with a changed VLAN may be avoided while the BRAS is kept accurately updated with the actual access point of the roaming user terminal.
[0047] The preceding description has been presented only to illustrate and describe examples of the principles described. This description is not intended to be exhaustive or to limit these principles to any precise form disclosed. Many modifications and variations are possible in light of the above teaching.

Claims

1. A method for preventing a roaming user terminal from re-authentication, comprising:
a Broadband Remote Access Server (BRAS) receiving change information of a roaming user terminal reported by an Access Controller (AC); said change information indicating that Virtual Local Area Network (VLAN) of the roaming user terminal has changed;
the BRAS modifying table item information corresponding to the change information reported by the AC;
the BRAS reporting modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA Server);
the BRAS allowing access of the roaming user terminal to a network with an Internet Protocol (IP) address of a changed VLAN.
2. The method according to claim 1, further comprising: the AAA server modifying corresponding table item information of the roaming user terminal based on the modified information of the roaming user terminal reported by the BRAS.
3. The method according to claim 2, further comprising:
the AAA server returning a confirmation that an update is complete; and after receiving the confirmation that the update is complete, the BRAS allowing the access of the roaming user terminal to the network with the IP address of the changed VLAN.
4. The method according to claim 1, wherein the change information of the roaming user terminal reported by the AC comprises: an identifier of a logic port accessed by the roaming user terminal, a unique identifier of the roaming user terminal, a state of the roaming user terminal and a time that the state changed.
5. The method according to claim 4, wherein the identifier of the logic port accessed by the roaming user terminal comprises an AC name/identifier + an Access Point (AP) name/identifier + an actual radio name/identifier + a logic port name/identifier.
6. The method according to claim 4, wherein the unique identifier of the roaming user terminal comprises Media Access Control (MAC) of the roaming user terminal, IP information of unchanged VLAN of the roaming user terminal, and IP information of the changed VLAN of the roaming user terminal.
7. The method according to claim 4, wherein the state of the roaming user terminal comprises an indication that the terminal is roaming, and the time that the state changed comprises a time at which roaming began.
8. The method according to claim 1, wherein the modified information of the roaming user terminal reported by the BRAS to the AAA Server comprises an identifier (ID) of the roaming user terminal, the MAC of the roaming user terminal, the IP of the roaming user terminal, the VLAN of the roaming user terminal and the state of the roaming user terminal.
9. An Access Controller (AC) for preventing a roaming user terminal from re-authentication, the AC is to detect whether a Virtual Local Area Network (VLAN) of the roaming user terminal changes;
when detecting the VLAN changes, the AC is to store a changed VLAN of the roaming user terminal, report change information of the roaming user terminal to a Broadband Remote Access Server (BRAS); and when detecting the VLAN is not changed, the AC is to allow the roaming user terminal to access a network with an Internet Protocol (IP) address of unchanged VLAN.
10. The AC according to claim 9, wherein the AC is to compare the pre-roaming VLAN of the roaming user terminal that is stored in the AC with the after-roaming VLAN of the roaming user terminal; when the pre-roaming VLAN and the after-roaming VLAN are the same, the AC is to determine that the VLAN of the roaming user terminal is unchanged, otherwise, the AC is to determine that the VLAN of the roaming user terminal is changed.
11. The AC according to claim 10, wherein the change information of the roaming user terminal reported by the AC comprises: an identifier of a logic port accessed by the roaming user terminal, a unique identifier of the roaming user terminal, state of the roaming user terminal and time point for changing the state.
12. A Broadband Remote Access Server (BRAS) for preventing a roaming user terminal from re-authentication, wherein the BRAS is to receive change information of the roaming user terminal with changed Virtual Local Area Network (VLAN), which is reported by an Access Controller (AC), modify table item information related with access of the roaming user terminal, report modified change information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA Server), receive a confirm update complete message sent by the AAA server, and allow the roaming user terminal to access a network with an Internet Protocol (IP) address of the changed VLAN.
13. The BRAS according to claim 12, wherein the change information of the roaming user terminal with the changed VLAN, which is reported by the AC comprises:
an identifier (ID) of a logic port accessed by the roaming user terminal, a unique ID of the roaming user terminal, state of the roaming user terminal and a time that the state changed.
14. The BRAS according to claim 13, wherein the ID of the logic port accessed by the roaming user terminal comprises an AC name/identifier + an Access Point (AP) name/identifier + an actual radio name/identifier + a logic port name/identifier.
15. The BRAS according to claim 13, wherein the unique ID of the roaming user terminal is Media Access Control (MAC) of the roaming user terminal, IP information of unchanged VLAN of the roaming user terminal, and IP information of changed VLAN of the roaming user terminal.
16. The BRAS according to claim 15, wherein the state of the roaming user terminal is roaming and the time that the state changed comprises a time at which roaming began.
17. An Authentication, Authorization, Accounting server (AAA Server) for preventing a roaming user terminal from re-authentication, wherein the AAA server is to receive change information of the roaming user terminal with changed Virtual Local Area Network (VLAN), which is reported by a Broadband Remote Access Server (BRAS), modify table item information related with the roaming user terminal, and return a confirm update complete message to the BRAS.
18. A system for preventing a roaming user terminal from re-authentication, wherein the system comprises the roaming user terminal, an Access Controller (AC), a Broadband Remote Access Server (BRAS) and an Authentication, Authorization, Accounting server (AAA Server),
the roaming user terminal is to send an access request to the AC;
the AC is to:
detect whether a Virtual Local Area Network (VLAN) of the roaming user terminal requesting to access changes, when detecting the VLAN of the roaming user terminal changes;
store changed VLAN of the roaming user terminal;
report changed information of the roaming user terminal to the
BRAS; and
when detecting the VLAN of the roaming user terminal is not changed, allow the roaming user terminal to access a network with an Internet Protocol (IP) address of unchanged VLAN;
the BRAS is to: receive the changed information of the roaming user terminal with changed VLAN that is reported by the AC;
modify table item information related with access of the roaming user terminal;
report modified changed information of the roaming user terminal to the AAA server;
receive a confirmation that update is complete from the AAA server; and
allow the roaming user terminal to access the network with an IP address of the changed VLAN;
the AAA server is to modify table item information related with the roaming user terminal, according to the change information of the roaming user terminal with the changed VLAN, and return a confirm update complete message to the BRAS.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010621703.8A CN102075904B (en) 2010-12-24 2010-12-24 Method and device for preventing re-authentication of roaming user
PCT/CN2011/084426 WO2012083865A1 (en) 2010-12-24 2011-12-22 Preventing roaming user terminal re-authentication

Publications (2)

Publication Number Publication Date
EP2656649A1 true EP2656649A1 (en) 2013-10-30
EP2656649A4 EP2656649A4 (en) 2015-07-08

Family

ID=44034217

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11851034.6A Withdrawn EP2656649A4 (en) 2010-12-24 2011-12-22 Preventing roaming user terminal re-authentication

Country Status (4)

Country Link
US (1) US9173082B2 (en)
EP (1) EP2656649A4 (en)
CN (1) CN102075904B (en)
WO (1) WO2012083865A1 (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075904B (en) 2010-12-24 2015-02-11 杭州华三通信技术有限公司 Method and device for preventing re-authentication of roaming user
CN102333295A (en) * 2011-10-25 2012-01-25 华为技术有限公司 Path creation method and roaming broadband remote access server
CN102882994B (en) * 2012-11-02 2015-05-06 华为技术有限公司 IP address assignment method and device and IP address acquisition method and device
CN103368780B (en) * 2013-07-22 2016-11-23 杭州华三通信技术有限公司 A kind of service control method and equipment
US9628853B2 (en) * 2013-09-30 2017-04-18 Apple Inc. Seamless display of video during connection switching
US10257162B2 (en) * 2015-02-16 2019-04-09 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for providing “anywhere access” for fixed broadband subscribers
CN104717216B (en) * 2015-03-12 2018-09-07 福建星网锐捷网络有限公司 A kind of access control method, device and core equipment
CN106488547B (en) * 2015-08-27 2020-02-14 华为技术有限公司 STA authentication data management method, device and equipment
CN105939519B (en) * 2015-08-27 2019-07-09 杭州迪普科技股份有限公司 A kind of authentication method and device
CN107786613B (en) 2016-08-30 2020-05-12 新华三技术有限公司 Broadband remote access server BRAS forwarding implementation method and device
CN107820246B (en) * 2016-09-14 2020-07-21 华为技术有限公司 User authentication method, device and system
CN106658498A (en) * 2016-12-05 2017-05-10 上海斐讯数据通信技术有限公司 Portal approved quick roaming method and WiFi device
CN107547562B (en) * 2017-09-25 2020-04-28 新华三技术有限公司 Portal authentication method and device
CN107995070B (en) * 2017-11-21 2020-12-08 新华三技术有限公司 IPOE-based networking control method and device and BRAS
CN109067788B (en) 2018-09-21 2020-06-09 新华三技术有限公司 Access authentication method and device
CN111478879B (en) * 2020-02-29 2022-05-24 新华三信息安全技术有限公司 DHCP (dynamic host configuration protocol) continuation method and device, electronic equipment and machine-readable storage medium
CN111787586B (en) * 2020-07-27 2022-10-21 新华三信息技术有限公司 Wireless roaming method and device
US11539731B2 (en) 2020-10-26 2022-12-27 Netskope, Inc. Dynamic hyper context-driven microsegmentation
US11700282B2 (en) 2020-10-26 2023-07-11 Netskope, Inc. Dynamic hyper context-driven microsegmentation
CN113993128B (en) * 2021-10-26 2024-04-12 迈普通信技术股份有限公司 Roaming method and device between APs

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7346772B2 (en) * 2002-11-15 2008-03-18 Cisco Technology, Inc. Method for fast, secure 802.11 re-association without additional authentication, accounting and authorization infrastructure
US20040203752A1 (en) * 2002-11-18 2004-10-14 Toshiba America Information Systems, Inc. Mobility communications system
US7434044B2 (en) * 2003-02-26 2008-10-07 Cisco Technology, Inc. Fast re-authentication with dynamic credentials
CN1323508C (en) 2003-12-17 2007-06-27 上海市高级人民法院 A Single Sign On method based on digital certificate
DE102004045147A1 (en) * 2004-09-17 2006-03-23 Fujitsu Ltd., Kawasaki A setting information distribution apparatus, method, program and medium, authentication setting transfer apparatus, method, program and medium, and setting information receiving program
US7917944B2 (en) * 2004-12-13 2011-03-29 Alcatel Lucent Secure authentication advertisement protocol
WO2006118497A1 (en) 2005-04-29 2006-11-09 Telefonaktiebolaget L M Ericsson (Publ) Operator shop selection
CN101026866A (en) * 2006-02-20 2007-08-29 华为技术有限公司 AK context cache method for wireless communication system
CN1822574A (en) 2006-03-17 2006-08-23 港湾网络有限公司 Method for connecting broad band user
CN101127707B (en) * 2007-09-21 2010-10-27 杭州华三通信技术有限公司 Data forwarding method and access point device
KR101276798B1 (en) * 2009-12-10 2013-06-19 한국전자통신연구원 System and method for offering communication provider selection service in distribution network
CN102075904B (en) * 2010-12-24 2015-02-11 杭州华三通信技术有限公司 Method and device for preventing re-authentication of roaming user

Also Published As

Publication number Publication date
CN102075904A (en) 2011-05-25
CN102075904B (en) 2015-02-11
WO2012083865A1 (en) 2012-06-28
US20130265941A1 (en) 2013-10-10
US9173082B2 (en) 2015-10-27
EP2656649A4 (en) 2015-07-08

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20130422

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
RA4 Supplementary search report drawn up and despatched (corrected)

Effective date: 20150608

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/06 20090101AFI20150601BHEP

Ipc: H04L 12/28 20060101ALI20150601BHEP

Ipc: H04L 12/46 20060101ALI20150601BHEP

Ipc: H04L 29/06 20060101ALI20150601BHEP

Ipc: H04W 8/02 20090101ALI20150601BHEP

17Q First examination report despatched

Effective date: 20160422

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20161103